Assessing threat to at least one computer network

ABSTRACT

Apparatus for assessing threat to at least one computer network in which a plurality of systems (30_1, 30_2, 30_3, 30_4, 30_5, ..., 30_n) operate is configured to determine predicted threat activity (13), to determine expected downtime of each system in dependence upon said predicted threat activity, to determine loss (12_A, 12_B, 12_C, 12_D, 12_E, ..., 12_m) for each of a plurality of operational processes (31_A, 31_B, 31_C, 31_D, 31_E, ..., 31_m) dependent on the downtimes of the systems, and to add losses for the plurality of processes so as to obtain a combined loss (12_SUM) arising from the threat activity.

FIELD OF THE INVENTION

The present invention relates to apparatus for and a method of assessing threat to at least one computer network.

BACKGROUND ART

Large organizations, such as international banks and other financial institutions, rely heavily on their computer systems to carry out their business operations. Increasingly, organizations are connecting their networks to public networks, such as the Internet, to allow them to communicate with their customers and other organizations. However, in doing so, they open up their networks to a wider range and greater number of electronic threats, such as computer viruses, Trojan horses, computer worms, hacking and denial-of-service attacks.

To respond to these forms of threat, organizations can implement procedures, tools and countermeasures for providing network security. For example, they can install intrusion detection and prevention systems to protect their network. However, even if these security systems are properly managed and well maintained, their network may still be vulnerable to threat. Furthermore, their network may also be vulnerable to other, non-electronic forms of threat, such as fire, flood or terrorism.

The present invention seeks to provide apparatus for and a method of assessing threat to a computer network or computer networks.

SUMMARY OF THE INVENTION

According to the present invention there is provided apparatus for assessing threat to at least one computer network in which a plurality of systems operate, the apparatus configured to determine predicted threat activity, to determine expected downtime of each system in dependence upon said predicted threat activity, to determine loss for each of a plurality of operational processes dependent on the downtimes of the systems, and to add losses for the plurality of processes so as to obtain a combined loss arising from the threat activity.

The apparatus may comprise a first module configured to determine the predicted threat activity, a second module configured to determine the expected downtime of each system and a third module configured to determine the loss for each of a plurality of operational processes. The third module may be configured to add the losses for the plurality of processes.

The apparatus may be configured to store at least one of the losses and the combined loss in a storage device. The apparatus may be configured to display at least one of the losses and the combined loss on a display device.

The apparatus may be further configured to output the predicted threat activity to a firewall.

The loss may be value at risk.

The apparatus may be configured to retrieve a list of observed threats and to determine the predicted threat activity based upon the list of observed threats.

The observed list of threats may include, for each threat, information identifying at least one system. The observed list of threats may include, for each threat, information identifying frequency of occurrence of the threat. The frequency of occurrence of the threat may include at least one period of time and corresponding frequency of occurrence for the at least one period of time.

The plurality of systems may include a plurality of software systems.

According to a second aspect of the present invention there is provided a method of assessing threat to at least one computer network in which a plurality of systems operate, the method comprising determining predicted threat activity, determining expected downtime of each system in dependence upon said predicted threat activity, determining loss for each of a plurality of operational processes dependent on the downtimes of the systems, and adding losses for the plurality of processes to obtain a combined loss arising from the threat activity.

The method may further comprise storing at least one of the losses and the combined loss in a storage device. The method may further comprise displaying at least one of the losses and the combined loss on a display device.

According to a third aspect of the present invention there is provided a computer program which, when executed by a computer system, causes the computer system to perform the method.

According to a fourth aspect of the present invention there is provided a computer readable medium storing the computer program.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention will now be described, by way of example, with reference to the accompanying drawings in which:

FIG. 1 is a schematic diagram of two computer networks connected via a firewall, a system for analysing network traffic and a system for assessing threat in one of the computer networks;

FIG. 2 is a detailed schematic diagram of the system for assessing threat to a computer network shown in FIG. 1;

FIG. 3 illustrates calculation of loss arising from predicted threat;

FIG. 4 is a schematic block diagram of a computer system providing threat assessment;

FIGS. 5A and 5B are a process flow diagram of a method of predicting threat activity;

FIG. 6 is a process flow diagram of a method of calculating system risk; and

FIG. 7 is a process flow diagram of a method of calculating predicted loss.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

Referring to FIG. 1, a corporate network 1 is connected to an external network 2, in this case the Internet, via a firewall 3. The firewall 3 filters incoming traffic 4 from the Internet and, optionally, outgoing traffic 5, according to a security policy (not shown). The corporate network 1 may be provided as a single, private network. The network 1 need not be a corporate network, but can be a government, academic, military or other form of private network. The network 1 may include a plurality of interconnected networks, for example ones which are geographically distributed.

The Internet 2 is a source of electronic threat, such as computer viruses (herein referred to simply as “viruses”), Trojan horses (“Trojans”), computer worms (“worms”), hacking and denial-of-service attacks. If a threat enters the corporate network 1 and is not stopped, then it can cause damage within the corporate network 1. For example, a virus may infect information technology (IT) systems 30 (FIG. 3) within the corporate network 1, resulting in the loss of one or more operational processes 31 (FIG. 3), for example a business process, either as a direct result of infection and/or as a result of measures taken to remove the virus from the infected system. Loss can also occur as the result of other forms of attack, such as hacking and denial-of-service attacks.

An IT system may be or include software, such as an operating system, an application or a combination of operating system and application(s). An IT system may be or include hardware, such as server(s), storage, network connections or a combination of one or more hardware elements. As will be explained in more detail later, some types of threat, such as viruses, may affect software, and other types of threat, such as fire, may affect hardware and/or software. An IT system can be treated, for the purposes of assessing threats, as a combination of software and hardware.

The degree to which an organisation will be affected by a successful attack depends on a number of factors, such as the number of IT systems 30 (FIG. 3) affected by the attack and the number of operational processes 31 (FIG. 3) relying on the affected IT systems 30 (FIG. 3).

If the likelihood of an attack succeeding can be estimated for a number of different threats, then this can be combined with knowledge of the logical structure of IT systems 30 (FIG. 3) within the network 1 and knowledge of processes 31 (FIG. 3) dependent on those IT systems 30 (FIG. 3) to predict, for a given period of time, loss to the organisation due to these threats. In some embodiments, the predicted loss is expressed as a value at risk (VAR). However, the prediction may be expressed as any value or figure of merit which characterises or quantifies loss to the organisation arising from operational processes being disabled.

A module 6 (hereinafter referred to as a “threat analyser”) samples incoming traffic 4 and identifies threats using a list 7 of known threats stored in a database 8. For example, the module 6 may be a computer system running SNORT (for example release 2.6.0.1) available from www.snort.org.

The threat analyser 6 produces observed threat data 9, which includes a list of observed threats and their frequency of occurrence, and stores the data 9 in a database 10.

In some embodiments of the present invention, a system 11 for assessing threat models threats to the corporate network 1 so as to predict loss 12 arising from these threats and/or to provide feedback 13 to the firewall 3.

Each observed threat is defined using an identifier, a name, a description of the threat, a temporal profile specifying frequency of occurrence of the threat, a target (or targets) for the threat and a severity score for the (or each) target.

The identifier (herein the attribute “Threat ID” is used) uniquely identifies a threat. The Threat ID may be a string of up to 100 characters. For example, the Threat ID may be “Win32.Worm.B32m”.

The target (“Target”) is a system category attacked by the threat. Targets are preferably named in a systematic way. Examples of targets include “Windows.XP” or “Oracle.9i”. Targets can be identified at different levels using a format “system.version[-system.version[-system.version]]”. For example, if a threat attacks Oracle running on Windows XP, then the target may be specified as “Oracle.9i-Windows.XP”.

A system category may depend on other categories. For example, a company may have a system which depends on Windows Server 2003 and another system which depends on Windows XP, i.e. two different system categories. Thus, if a threat attacks more than one category, such as all versions of Windows, this can be handled by introducing a third system category, such as Windows, on which both of the other categories, in this example Windows Server 2003 and Windows XP, depend.

The severity score (“SeverityScore”) is a measure of the impact of a successful threat. It is not a measure of the prevalence of or exposure to the threat, but rather an indication of the damage that would be caused to the target system. Severity score may also be referred to as “damage level”. In this example, the severity score is a value lying in a range between 1 and 10. For example, a value of 1 can represent trivial impact and a value of 10 may represent a catastrophic effect. However, the severity score may instead be defined as “low”, “medium”, “high” or “critical”.

The temporal profile is used to describe frequency of occurrence of a threat because loss caused by system downtime may vary according to the time of the week. The temporal profile may be visible to and/or editable by a user for some types of threat, such as physical threats, and may be implicit and/or fixed for other types of threat, such as those defined in SNORT data.

The profile is expressed as a sequence of elements, each of which has a time block and a count of the observed occurrences of the threat during the block. Threat occurrences are preferably aggregated as far as possible to provide a simple profile whilst remaining consistent with recorded instances. A more complex profile can be used if the simple profile significantly deviates from recorded instances. For example, if a threat is observed only a very small number of times, then it is appropriate to specify a uniform time profile. However, if a different threat is observed many times and always, for example, on a Monday morning, then a more complex profile reflecting the actual distribution may be used.

Herein the temporal profile is defined in terms of day (attribute “Day”), period of day (“From”, “To”) and frequency (“Count”).

Time blocks need not be the same for different threats, although, for any given threat, blocks should not overlap. If a part of a week is not covered by a block, threat occurrence is assumed to be zero.

The observed threat data is stored as a single file in Extensible Markup Language (XML) format encoded using 8-bit Unicode Transformation Format (UTF-8), as shown in the following simple example:

<?xml version="1.0" encoding="utf-8" ?>
<AssessmentSystem Version="1">
  <ObservedThreats ObservationStart="2006-07-31T00:00:00" ObservationEnd="2006-08-07T00:00:00">
    <Threat ID="Win32.Worm.B32m" Target="Windows.XP" SeverityScore="4">
      <Observation From="00:00:00" To="12:00:00" Count="8"/>
      <Observation From="12:00:00" To="00:00:00" Count="1"/>
    </Threat>
    <Threat ID="Linux.Trojan.A12s" Target="Oracle.9i" SeverityScore="6">
      <Observation Day="Monday" Count="50"/>
      <Observation Day="Tuesday Wednesday" Count="23"/>
      <Observation Day="Thursday Friday Saturday" Count="11"/>
      <Observation Day="Sunday" Count="0"/>
    </Threat>
    <Threat ID="DenialOfService" Target="IIS" SeverityScore="2">
      <Observation Day="Sunday" From="00:00:00" To="08:00:00" Count="1154"/>
      <Observation Day="Sunday" From="08:00:00" To="16:30:00" Count="237"/>
      <Observation Day="Monday" To="12:00:00" Count="350"/> <!-- From is 00:00:00 -->
      <Observation Day="Monday" From="12:00:00" Count="208"/> <!-- To is 00:00:00 -->
      <Observation Day="Tuesday Wednesday Thursday Friday Saturday" Count="2134"/>
    </Threat>
  </ObservedThreats>
</AssessmentSystem>

In the example just given, three different types of observed threat are specified, namely a virus “Win32.Worm.B32m”, a Trojan “Linux.Trojan.A12s” and a denial-of-service attack “DenialOfService”. However, it will be appreciated that there may be many more observed threats, e.g. tens or hundreds of thousands of threats or more.
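As an added example (not code from the patent), the following Python loader reads observed threat data in the format just shown and applies the conventions the description gives for the temporal profile: a missing Day attribute means every day of the week, a missing From means 00:00:00, a To of 00:00:00 (or no To) means the end of the day, the blocks of one threat must not overlap, and SeverityScore must lie in the range 1 to 10. The embedded sample is the example file above with straight quotes; the class and function names (Block, Threat, parse_observed_threats, is_valid) are this example's own.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")
SECONDS_PER_DAY = 24 * 60 * 60

# The page's own example file, reproduced with straight quotes so that it parses.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8" ?>
<AssessmentSystem Version="1">
  <ObservedThreats ObservationStart="2006-07-31T00:00:00" ObservationEnd="2006-08-07T00:00:00">
    <Threat ID="Win32.Worm.B32m" Target="Windows.XP" SeverityScore="4">
      <Observation From="00:00:00" To="12:00:00" Count="8"/>
      <Observation From="12:00:00" To="00:00:00" Count="1"/>
    </Threat>
    <Threat ID="Linux.Trojan.A12s" Target="Oracle.9i" SeverityScore="6">
      <Observation Day="Monday" Count="50"/>
      <Observation Day="Tuesday Wednesday" Count="23"/>
      <Observation Day="Thursday Friday Saturday" Count="11"/>
      <Observation Day="Sunday" Count="0"/>
    </Threat>
    <Threat ID="DenialOfService" Target="IIS" SeverityScore="2">
      <Observation Day="Sunday" From="00:00:00" To="08:00:00" Count="1154"/>
      <Observation Day="Sunday" From="08:00:00" To="16:30:00" Count="237"/>
      <Observation Day="Monday" To="12:00:00" Count="350"/> <!-- From is 00:00:00 -->
      <Observation Day="Monday" From="12:00:00" Count="208"/> <!-- To is 00:00:00 -->
      <Observation Day="Tuesday Wednesday Thursday Friday Saturday" Count="2134"/>
    </Threat>
  </ObservedThreats>
</AssessmentSystem>
"""


@dataclass(frozen=True)
class Block:
    days: Tuple[str, ...]  # days of the week the block covers
    start: int             # seconds after midnight, inclusive
    end: int               # seconds after midnight, exclusive (SECONDS_PER_DAY = end of day)
    count: int             # observed occurrences across the whole block


@dataclass
class Threat:
    threat_id: str
    target: str
    severity: int
    blocks: List[Block]

    def weekly_count(self) -> int:
        """Observed occurrences over the week; time not covered by a block counts as zero."""
        return sum(b.count for b in self.blocks)


def _seconds(hms: str) -> int:
    h, m, s = (int(p) for p in hms.split(":"))
    if not (0 <= h < 24 and 0 <= m < 60 and 0 <= s < 60):
        raise ValueError(f"bad time of day {hms!r}")
    return h * 3600 + m * 60 + s


def _parse_block(el: ET.Element) -> Block:
    days = tuple(el.get("Day", " ".join(DAYS)).split())  # no Day attribute: every day
    unknown = [d for d in days if d not in DAYS]
    if unknown:
        raise ValueError(f"unknown day(s) {unknown}")
    start = _seconds(el.get("From", "00:00:00"))         # no From: start of day
    end = _seconds(el.get("To", "00:00:00"))
    if end == 0:
        end = SECONDS_PER_DAY                            # To of 00:00:00 or absent: end of day
    if end <= start:
        raise ValueError(f"empty block {start}-{end}")
    count = int(el.get("Count", "0"))
    if count < 0:
        raise ValueError("negative Count")
    return Block(days, start, end, count)


def _check_no_overlap(threat_id: str, blocks: List[Block]) -> None:
    """The blocks of one threat must not overlap (required by the description)."""
    per_day: Dict[str, List[Tuple[int, int]]] = {d: [] for d in DAYS}
    for b in blocks:
        for d in b.days:
            per_day[d].append((b.start, b.end))
    for d, spans in per_day.items():
        spans.sort()
        for (_, end1), (start2, _) in zip(spans, spans[1:]):
            if start2 < end1:
                raise ValueError(f"{threat_id}: overlapping time blocks on {d}")


def parse_observed_threats(xml_text: str) -> Dict[str, Threat]:
    root = ET.fromstring(xml_text.encode("utf-8"))
    threats: Dict[str, Threat] = {}
    for el in root.iter("Threat"):
        tid = el.get("ID")
        if not tid or tid in threats:
            raise ValueError(f"missing or duplicate Threat ID {tid!r}")
        severity = int(el.get("SeverityScore", "0"))
        if not 1 <= severity <= 10:
            raise ValueError(f"{tid}: SeverityScore {severity} outside 1..10")
        blocks = [_parse_block(o) for o in el.findall("Observation")]
        _check_no_overlap(tid, blocks)
        threats[tid] = Threat(tid, el.get("Target", ""), severity, blocks)
    return threats


def is_valid(xml_text: str) -> bool:
    """True when the file parses and passes every check above."""
    try:
        parse_observed_threats(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False
```

Running parse_observed_threats(SAMPLE_XML) yields three Threat records; the two Monday observations of DenialOfService come out as the blocks 00:00:00 to 12:00:00 and 12:00:00 to end of day, and the weekly counts are 9, 84 and 4083. Changing the first Sunday block's To to 09:00:00 makes is_valid return False because it would overlap the second.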

Referring to FIG. 2, the threat assessment system 11 includes a first module 14 (hereinafter referred to as an “activity predictor”) for predicting threat activity affecting the corporate network 1.

The activity predictor 14 receives the observed threat data 9 from the database 10, for example by retrieving the data automatically or in response to user instruction, extrapolates future event frequency and produces a profile 13 of predicted threat activity, which includes a list of predicted threats and their expected frequency of occurrence. The predicted threat activity profile 13 may be stored in a database 16.

Event frequency can be extrapolated from the historical data using a variety of editable factors which can be based upon advice from security consultants, political factors and so on.

Each predicted threat is defined using an identifier, a name, a description, a frequency of occurrence, a category (or categories) of system attacked and a corresponding damage level for each system.

A user, via input device 17, can manually add information 18 about other electronic and non-electronic forms of threat so that it can be added to the predicted threat activity profile 13.

Non-electronic forms of threat include, for example, fire, flood and terrorist attack. Information about non-electronic forms of attack is arranged in a similar way to information about electronic forms of threat and includes, for each threat, an identifier, a name, a description and frequency of occurrence, categories of system attacked and corresponding damage levels.

The user can also provide or edit information about threats. For example, they can specify data regarding extrapolation factors; the IT systems subject to attack, such as identity, name and category identity; system categories, such as identity and name; operational processes, such as identity, name and value; and process dependencies, such as process identity, system identity, dependency description and dependency level.

As shown in FIG. 2, the predicted threat activity profile 13 can be fed back to the firewall 3 to tune its operation.

The threat assessment system 11 includes a second module 19 (hereinafter referred to as a “system risk calculator”) for calculating system risk.

The system risk calculator 19 receives the predicted threat activity profile 13 (either from the activity predictor 14 or the database 16) and information 20 about the IT systems 30 (FIG. 3) and the categories to which they belong from a systems database 21 and produces a risk profile 22 for the systems 30 (FIG. 3) in terms of predicted average downtime over a given period, usually specified to be a year. The risk 22 can be stored in database 23.

Each IT system 30 (FIG. 3) is defined by identity and a name. System categories, i.e. targets, may include operating systems, applications and server location.

An IT system may be defined in terms of physical location. This may be used to identify exposure to some types of threat, such as fire, flooding, terrorism, power loss and so on.

The system 11 includes a third module 24 (hereinafter referred to as a “predicted loss calculator”) for predicting the loss to the organisation.

The predicted loss calculator 24 receives the system risk 22 and data 25 listing operational processes from a database 26, then predicts the loss for each operational process, aggregates the results for all processes and outputs predicted loss data 12. The predicted loss data 12 may be stored in database 28 and/or output on display device 29.

Each process is defined by identity, a name and a value in terms of the cost of downtime. The dependency of each process on an underlying IT system is defined by process identity, system identity, dependency description and dependency level.

Referring also to FIG. 3, the predicted loss calculator 24 considers the system risk 22 for the IT systems 30, 30_1, 30_2, 30_3, 30_4, ..., 30_n on which each process 31, 31_A, 31_B, 31_C, 31_D, 31_E, ..., 31_m depends via dependencies 32, together with the value of the process, and aggregates values 12_A, 12_B, 12_C, 12_D, 12_E, ..., 12_m for each process so as to produce a value 12_SUM for all processes. The predicted loss calculator 24 applies the system risk 22 to system categories 33, 33_α, 33_β, 33_χ, ..., 33_ζ which are related to the systems 30, 30_1, 30_2, 30_3, 30_4, ..., 30_n by dependencies 34 and then considers how the risk affects each IT system 30, 30_1, 30_2, 30_3, 30_4, ..., 30_n.

In FIG. 3, only one level or layer of system category 33 is shown for clarity. However, as will be explained in more detail, there may be additional levels of system category 33 such that one or more system categories 33 in a lower level may depend on a system category in a higher level. Thus, a system 30 may depend on one or more system categories 33, which may be arranged in one or more layers.

For example, a system category 33 in a higher level may be Windows and system categories 33 in a lower level may be Windows Server 2003 and Windows XP. A system 30 may be a corporate server which depends on Windows Server 2003 and another system 30 could be a desktop computer which depends on Windows XP.

System categories 33 may be omitted and so threats to systems 30 may be considered directly.

The threat assessment system 11 can output a report of the predicted loss, e.g. an aggregate value at risk, to the organisation for each process in terms of process name, estimated annual downtime and predicted loss. For example, the report can be shown on the display device 29, for example as a bar chart of predicted loss for each process, and can be exported as a database file, such as a Microsoft® Excel® file (e.g., with an “.xls” extension) or an eXtensible Markup Language file (e.g., with an “.xml” extension).

Referring to FIG. 4, the threat assessment system 11 (FIG. 2) is implemented in software on a computer system 35 running an operating system, such as Windows, Linux or Solaris. The computer system 35 includes at least one processor 36, memory 37 and an input/output (I/O) interface 38 operatively connected by a bus 39. The I/O interface 38 is operatively connected to the user input 17 (for example in the form of a keyboard and pointing device), display 29, a network interface 40, storage 41 in the form of hard disk storage and removable storage 42.

Computer program code 43 is stored in the hard disk storage 41 and loaded into memory 37 for execution by the processor(s) 36 to provide the modules 14, 19, 24. The computer program code 43 may be stored on and transferred from removable storage 42 or downloaded via the network interface 40 from a remote source (not shown).

The threat assessment system 11 generally has two modes of operation to meet different operational criteria.

In a “live mode”, the activity predictor 14 periodically, for example daily, connects to the known threat database 10 (which is preferably continuously updated), retrieves the observed threat profile 9 and produces a new predicted activity 13. The predicted activity 13 is fed back to the firewall 3.

In an “analysis mode”, a snapshot of the observed threat profile 9 is taken, predicted loss is assessed and a report produced.

Operation of the threat assessment system 11 will now be described in more detail.

The threat assessment system 11 uses an activity prediction process to extrapolate series of numbers in several places to find the next value in the series. In this example, weighted linear extrapolation is used, although other methods may be used, such as polynomial extrapolation.

Weighted linear extrapolation involves fitting a straight line y = mx + c through supplied data, finding values for the parameters m and c, and then using these parameters to find a value for y corresponding to a value of x beyond the range of that data.

A so-called “best fit” line is the one which is as close to as many of the supplied data points as possible. The closeness at a single point x_i is given by the residual r_i, namely:

$r_i = y_i - (m x_i + c)$  (1)

The overall quality of fit is given by the summed square of all the residuals, each weighted by the corresponding weighting factor:

$S' = \sum_{i=1}^{n} w_i \left( y_i - (m x_i + c) \right)^2$  (2)

The best fit line is found by minimising S′ with respect to m and c.

The minimum may be found by differentiating S′ with respect to m and c.

$\frac{\partial S'}{\partial m} = -2 \sum w x \left( y - (m x + c) \right)$  (3)

$\frac{\partial S'}{\partial c} = -2 \sum w \left( y - (m x + c) \right)$  (4)

where the summations are from 1 to n for w, x and y.

The minimum is found where the differentials are 0, therefore:

$\sum w x \left( y - (m x + c) \right) = 0$  (5)

$\sum w \left( y - (m x + c) \right) = 0$  (6)

$\sum w x y - m \sum w x^2 - c \sum w x = 0$  (7)

$\sum w y - m \sum w x - c \sum w = 0$  (8)

Equation (8) may be re-arranged to find c:

$c = \frac{\sum w y - m \sum w x}{\sum w}$  (9)

and, by substitution into (7), m can be found:

$m = \frac{\sum w \sum w x y - \sum w x \sum w y}{\sum w \sum w x^2 - \left( \sum w x \right)^2}$  (10)

Analogously, re-arranging (8) for m and substituting into (7):

$m = \frac{\sum w y - c \sum w}{\sum w x}$  (11)

$\sum w x y - \frac{\sum w x^2}{\sum w x} \left( \sum w y - c \sum w \right) - c \sum w x = 0$  (12)

$\sum w x \sum w x y - \sum w x^2 \sum w y = c \left( \left( \sum w x \right)^2 - \sum w \sum w x^2 \right)$  (13)

$c = \frac{- \sum w x \sum w x y + \sum w x^2 \sum w y}{\sum w \sum w x^2 - \left( \sum w x \right)^2}$  (14)

Given m and c from the formulae above, the series may be extrapolated to point n+1:

$y_{n+1} = m x_{n+1} + c$  (15)

Referring to FIGS. 1 to 4, 5A and 5B, operation of the activity predictor 14 will now be described in more detail.

The activity predictor 14 retrieves the observed threat data 9 from the observed threat database 10 (step S1) and sets about determining a time profile for each target, each time profile defined in terms of one or more time blocks and the number of successful threats expected in each time block (steps S2 to S13).

In this example, threats are generally divided into three categories, namely malicious code (e.g. viruses, Trojans and worms), attacks (e.g. hacking and denial-of-service attacks) and non-electronic forms of attack (e.g. fire and terrorist attacks). Fewer categories may be defined, for example, by excluding non-electronic forms of attack. However, additional categories or sub-categories may be defined or added, for example as new forms of threat emerge. It will be appreciated that these threats can be assessed in any order and may even be evaluated simultaneously, for example, if a multi-core computer system 35 is used.

Equations (9), (10) and (15) and/or (13), (14) and (15) above are used to predict the number of viruses (or other forms of malicious code) using the input data specified in Table I below:

TABLE I

Item                                             Source            Symbol
Number of viruses seen by target t and period p  SNORT             obs_(t/p)^(v)
Number of viruses contracted by period p         User              contr_(p)^(v)
Number of new viruses worldwide by period p      www.wildlist.org  new_(p)^(v)

The number of viruses seen by a target in a period, obs_(t/p)^(v), is obtained from the threat analyser 6 running SNORT (or other intrusion detection program). The number of viruses contracted in the given period of time, contr_(p)^(v), is specified, via input device 17, by the user. The number of new viruses worldwide in a period, new_(p)^(v), is obtained from a virus (or other malicious software) information gathering organisation, such as The Wildlist Organization (www.wildlist.org). The period, p, may be, for example, one week or four weeks. However, other periods, such as n weeks or n months, may be used, where n is a positive integer.

The activity predictor 14 takes the number of viruses seen by a target for a given period of time, obs_(t/p)^(v), and extrapolates the observed viruses to give the predicted number of viruses by target in the given period, pred_(t)^(v) (step S2). The value for each target will be used to calculate the number of viruses expected to be contracted by the target.

The activity predictor 14 normalizes the predicted number of viruses by target in the given period, pred_(t)^(v), to give a predicted fraction of viruses attacking each target, frac pred_(t)^(v), by dividing the predicted number, pred_(t)^(v), by the total number of new malicious codes which have been observed over the same period (step S3).

Steps S2 and S3 can be summarised as follows:

The activity predictor 14 divides the number of viruses contracted in each period, contr_(p)^(v), by the number of new viruses worldwide in that period, new_(p)^(v), to give the fraction of new viruses contracted in each period, frac contr_(p)^(v) (step S4). The activity predictor 14 extrapolates this value to give the predicted fraction of new viruses that will be contracted, pred frac contr^(v) (step S5).

Steps S4 and S5 can be summarised as follows:

$\frac{{contr}_{p}^{v}}{{new}_{p}^{v}} = {{frac}\mspace{14mu}{{contr}_{p}^{v}\overset{extrapolate}{\longrightarrow}{pred}}\mspace{14mu}{frac}\mspace{14mu}{contr}^{v}}$

The activity predictor 14 extrapolates the number of new viruses, new_(p)^(v), to give a predicted number of new viruses, pred new^(v) (step S6), i.e.:

${{new}_{p}^{v}\overset{extrapolate}{\longrightarrow}{pred}}\mspace{14mu}{new}^{v}$

The activity predictor 14 multiplies the predicted fraction of new viruses that will be contracted, pred frac contr^(v), by the predicted number of new viruses, pred new^(v), to give the predicted number of new viruses contracted, pred contr^(v) (step S7), i.e.:

pred contr^(v) = pred frac contr^(v) × pred new^(v)

The activity predictor 14 multiplies the fraction of viruses for each target, frac pred_(t)^(v), by the predicted number of viruses contracted, pred contr^(v), to give the predicted number of viruses contracted by target, pred contr_(t)^(v) (step S8), namely:

pred contr_(t)^(v) = frac pred_(t)^(v) × pred contr^(v)

Finally, the activity predictor 14 copies the time and severity profile for predicted viruses contracted directly from obs_(t/p)^(v) (step S9). For example, for each instance of a virus, the identity of the virus together with its time profile and severity profile is added to a table. This provides the predicted number of viruses contracted by target with time profile.
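The weighted least-squares fit of equations (9), (10), (14) and (15) and the virus prediction steps S2 to S8 above are carried through here in Python as an added example; it is not code from the patent, and the function names are this example's own. The same extrapolation serves the attack steps S10 to S13 described next, so a second function covers those too. Assumptions beyond the text: periods are numbered x = 1..n and the next period is n+1; the default weights grow linearly so that recent periods count more (the text only says the factors are editable); step S3 normalises by the sum of the per-target predictions so that the fractions add to one; and predicted counts are clamped at zero. The input series are constructed, not SNORT or WildList figures.

```python
from typing import Dict, Optional, Sequence, Tuple


def weighted_fit(xs: Sequence[float], ys: Sequence[float], ws: Sequence[float]) -> Tuple[float, float]:
    """Weighted least-squares line y = m x + c: m from equation (10), c from (9).
    Equation (14) is evaluated as a cross-check that the two derivations agree."""
    if not (len(xs) == len(ys) == len(ws)) or len(xs) < 2:
        raise ValueError("need at least two points with matching weights")
    sw = sum(ws)
    swx = sum(w * x for w, x in zip(ws, xs))
    swy = sum(w * y for w, y in zip(ws, ys))
    swxx = sum(w * x * x for w, x in zip(ws, xs))
    swxy = sum(w * x * y for w, x, y in zip(ws, xs, ys))
    denom = sw * swxx - swx ** 2
    if denom == 0:
        raise ValueError("all x equal; the slope is undefined")
    m = (sw * swxy - swx * swy) / denom        # equation (10)
    c = (swy - m * swx) / sw                   # equation (9)
    c14 = (-swx * swxy + swxx * swy) / denom   # equation (14)
    if abs(c - c14) > 1e-9 * max(1.0, abs(c)):
        raise ArithmeticError("equations (9) and (14) disagree")
    return m, c


def extrapolate(series: Sequence[float], weights: Optional[Sequence[float]] = None) -> float:
    """Next value of a per-period series via equation (15) with x_i = 1..n and x_{n+1} = n+1.
    Default weights 1..n favour recent periods (assumption; the text leaves the factors editable)."""
    n = len(series)
    if n == 0:
        raise ValueError("empty series")
    if n == 1:
        return float(series[0])   # nothing to fit through a single point; repeat it
    ws = list(weights) if weights is not None else list(range(1, n + 1))
    m, c = weighted_fit(list(range(1, n + 1)), series, ws)
    return m * (n + 1) + c


def _target_fractions(obs: Dict[str, Sequence[float]]) -> Dict[str, float]:
    """Steps S2/S3 (and S10/S11): extrapolate per target, then normalise to fractions."""
    pred = {t: max(0.0, extrapolate(s)) for t, s in obs.items()}
    total = sum(pred.values())
    return {t: (v / total if total else 0.0) for t, v in pred.items()}


def predict_virus_contractions(obs: Dict[str, Sequence[float]],
                               contr: Sequence[float],
                               new: Sequence[float]) -> Dict[str, float]:
    """Steps S2-S8: predicted viruses contracted per target, pred contr_t^v."""
    if len(contr) != len(new) or any(n <= 0 for n in new):
        raise ValueError("contr and new must align, and new must be positive")
    frac_pred = _target_fractions(obs)                             # S2, S3
    frac_contr = [c / n for c, n in zip(contr, new)]               # S4
    pred_frac_contr = min(1.0, max(0.0, extrapolate(frac_contr)))  # S5, kept within [0, 1]
    pred_new = max(0.0, extrapolate(new))                          # S6
    pred_contr = pred_frac_contr * pred_new                        # S7
    return {t: f * pred_contr for t, f in frac_pred.items()}       # S8


def predict_successful_attacks(obs: Dict[str, Sequence[float]],
                               contr: Sequence[float]) -> Dict[str, float]:
    """Steps S10-S13: same shape, but successful attacks are extrapolated directly."""
    frac_pred = _target_fractions(obs)                             # S10, S11
    pred_contr = max(0.0, extrapolate(contr))                      # S12
    return {t: f * pred_contr for t, f in frac_pred.items()}       # S13


# Constructed weekly inputs over four periods (hypothetical figures).
OBS_V = {"Windows.XP": [10, 20, 30, 40], "Oracle.9i": [5, 5, 5, 5]}
CONTR_V = [2, 4, 6, 8]
NEW_V = [100, 100, 100, 100]
OBS_A = {"IIS": [300, 350, 400, 450], "Oracle.9i": [10, 10, 10, 10]}
CONTR_A = [1, 2, 3, 4]

if __name__ == "__main__":
    print(predict_virus_contractions(OBS_V, CONTR_V, NEW_V))
    print(predict_successful_attacks(OBS_A, CONTR_A))
```

With the constructed inputs the per-target series and the contraction fraction are exactly linear, so the fit reproduces them regardless of weighting: Windows.XP extrapolates to 50 and Oracle.9i to 5, the contracted fraction to 0.10 and the new-virus count to 100, giving 10 predicted contractions split 50:5 between the two targets. The weights do matter on non-linear data, which is where the choice of factors the text describes as editable shows up.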

The activity predictor 14 uses equations (9), (10) and (15) and/or (13), (14) and (15) to carry out a similar process for predicting the number of hacking, denial-of-service and other similar forms of attack, using the input data specified in Table II below and the following steps:

TABLE II

Item                                             Source  Symbol
Number of attacks seen by target t and period p  SNORT   obs_(t/p)^(a)
Number of successful attacks by period p         User    contr_(p)^(a)

The activity predictor 14 extrapolates observed attacks, obs_(t/p)^(a), to give the predicted number of attacks by target, pred_(t)^(a) (step S10), and normalizes this to give the predicted fraction of attacks attacking each target, frac pred_(t)^(a) (step S11).

Steps S10 and S11 can be summarised as follows:

The activity predictor 14 extrapolates the number of successful attacks, contr_(p)^(a), to give the predicted number of successful attacks, pred contr^(a) (step S12), i.e.:

The activity predictor 14 multiplies the predicted number of successful attacks, pred contr^(a), by the predicted fraction of attacks attacking each target, frac pred_(t)^(a), to give the predicted number of successful attacks by target (step S13), i.e.:

pred contr_(t)^(a) = frac pred_(t)^(a) × pred contr^(a)

The activity predictor 14 copies the time and severity profile for predicted successful attacks directly from obs_(t/p)^(a).

For non-electronic threats, the user can provide the expected number of disabling events on the target with a given time profile (step S14).

The activity predictor 14 stores the expected number of malicious codes, attacks and disabling events in the predicted threat activity profile 13 (step S15).

Referring to FIGS. 1 to 4 and 6, operation of the system risk calculator 19 will now be described in more detail.

For each threat, the risk calculator 19 carries out the following steps, namely steps S16 to S19.

The risk calculator 19 determines downtime for a system category 33, i.e. a target, based on the expected damage level for the successful threat (step S16). In this example, this is done using the value of the attribute “SeverityScore” with a look-up table giving a downtime for each SeverityScore for each system category. The risk calculator 19 can adjust the downtime, for example by taking into account mitigating factors, such as whether the system can operate in a safe mode and whether back-up systems are available (step S17). The risk calculator 19 multiplies each adjusted downtime by the frequency of occurrence of the successful threat to obtain a value of the total downtime for the threat (step S18). The risk calculator 19 then adds the downtime to an accumulated downtime for the system category (step S19).

For each system 30, the risk calculator 19 adds up the downtimes of the system categories 33 on which the system 30 depends and, if appropriate, of the system categories on which those categories in turn depend (step S20). Circular dependencies among categories may be forbidden.

Referring to FIGS. 1 to 4 and 7, operation of the predicted loss calculator 24 will now be described in more detail.

For each operational process, the predicted loss calculator 24 adds up the predicted downtimes of the system categories on which it depends to determine a duration for which the process is unavailable (step S21). The predicted loss calculator 24 multiplies the duration by a value of the process to quantify the loss 12_A, 12_B, 12_C, 12_D, 12_E, ..., 12_m for the process (step S22). For example, the value of the process may be a monetary value (e.g. given in pounds sterling per hour or dollars per day) and the loss may be the value at risk for the process.

Once the losses 12_A, 12_B, 12_C, 12_D, 12_E, ..., 12_m for each process have been determined, the predicted loss calculator 24 adds the losses 12_A, 12_B, 12_C, 12_D, 12_E, ..., 12_m for all the processes to obtain a loss 12_SUM to the organisation (step S23).

The loss 12 _(A), 12 _(B), 12 _(C), 12 _(D), 12 _(E), . . . , 12 _(m)for each process and the loss 12 _(SUM), to the organisation can bestored in database 28 and/or exported. As explained earlier, some or allof the losses 12 _(A), 12 _(B), 12 _(C), 12 _(D), 12 _(E), . . . , 12_(m), 12 _(SUM), can be displayed, for example as a bar chart, ondisplay device 29.
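Steps S16 to S23 above describe a short chain of arithmetic: a severity-to-downtime look-up per system category, a mitigation adjustment, a multiplication by predicted frequency, accumulation per category, propagation through category dependencies, and finally a per-process unavailability multiplied by a value per hour and summed. The following worked example is added here to make that chain concrete; it is not code from the patent, and every category name, look-up value, mitigation factor, dependency, threat and process value in it is a constructed assumption. One design choice is also an assumption: when a process depends on several categories, the union of their dependency closures is taken so that a shared dependency (the database under both the web server and a direct dependency) is counted once.

```python
# Added worked example of the system risk calculator (steps S16 to S20) and the
# predicted loss calculator (steps S21 to S23). All tables and values below are
# constructed assumptions, not figures from the patent.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Step S16 look-up table (assumed): downtime in hours per SeverityScore per category.
DOWNTIME_HOURS: Dict[str, Dict[int, float]] = {
    "web_server":   {1: 0.5,  2: 2.0, 3: 8.0,  4: 24.0},
    "database":     {1: 1.0,  2: 4.0, 3: 12.0, 4: 48.0},
    "mail_gateway": {1: 0.25, 2: 1.0, 3: 4.0,  4: 12.0},
}

# Step S17 mitigating factors (assumed): fraction of the look-up downtime that
# remains once safe mode or a back-up system is taken into account.
MITIGATION: Dict[str, float] = {
    "web_server": 0.5,     # hot standby takes over
    "database": 1.0,       # no mitigation available
    "mail_gateway": 0.75,  # can queue mail in a safe mode
}

# Step S20 dependencies between categories (assumed, acyclic): a category is
# unavailable whenever a category it depends on is unavailable.
CATEGORY_DEPS: Dict[str, List[str]] = {
    "web_server": ["database"],
    "database": [],
    "mail_gateway": [],
}


@dataclass(frozen=True)
class PredictedThreat:
    """One entry of the predicted threat profile."""
    name: str
    target: str          # system category the threat affects
    severity_score: int  # SeverityScore of a successful occurrence
    frequency: float     # predicted successful occurrences in the forecast period


def accumulate_category_downtime(threats: List[PredictedThreat]) -> Dict[str, float]:
    """Steps S16 to S19: expected downtime per system category, in hours."""
    accumulated = {category: 0.0 for category in DOWNTIME_HOURS}
    for threat in threats:
        base = DOWNTIME_HOURS[threat.target][threat.severity_score]  # S16
        adjusted = base * MITIGATION[threat.target]                  # S17
        total = adjusted * threat.frequency                          # S18
        accumulated[threat.target] += total                          # S19
    return accumulated


def transitive_dependencies(category: str, deps: Dict[str, List[str]]) -> Set[str]:
    """Step S20 helper: the category plus everything it transitively depends on.
    Circular dependencies are forbidden and reported instead of looped over."""
    closure: Set[str] = set()

    def visit(node: str, path: List[str]) -> None:
        if node in path:
            raise ValueError("circular dependency: " + " -> ".join(path + [node]))
        if node in closure:
            return
        closure.add(node)
        for child in deps.get(node, []):
            visit(child, path + [node])

    visit(category, [])
    return closure


def process_unavailability(process_deps: List[str],
                           category_downtime: Dict[str, float]) -> float:
    """Steps S20 and S21: hours for which a process is unavailable.
    The union of the closures is used so a shared dependency is counted once."""
    affected: Set[str] = set()
    for category in process_deps:
        affected |= transitive_dependencies(category, CATEGORY_DEPS)
    return sum(category_downtime[c] for c in affected)


def predicted_losses(threats: List[PredictedThreat],
                     processes: Dict[str, Tuple[List[str], float]]) -> Dict[str, float]:
    """Steps S21 to S23: loss per process, plus the combined loss under "SUM"."""
    category_downtime = accumulate_category_downtime(threats)
    losses: Dict[str, float] = {}
    for name, (deps, value_per_hour) in processes.items():
        hours = process_unavailability(deps, category_downtime)  # S21
        losses[name] = hours * value_per_hour                    # S22
    losses["SUM"] = sum(losses.values())                         # S23
    return losses


# Constructed sample inputs: a predicted threat profile and three processes
# (categories depended on, value per hour).
SAMPLE_THREATS = [
    PredictedThreat("worm", "web_server", 3, 2.0),
    PredictedThreat("denial_of_service", "web_server", 2, 1.5),
    PredictedThreat("virus", "mail_gateway", 2, 4.0),
    PredictedThreat("flood", "database", 4, 0.25),  # non-electronic threat
]
SAMPLE_PROCESSES = {
    "online_banking":   (["web_server", "database"], 5000.0),
    "customer_email":   (["mail_gateway"], 800.0),
    "batch_settlement": (["database"], 20000.0),
}

if __name__ == "__main__":
    for process, loss in predicted_losses(SAMPLE_THREATS, SAMPLE_PROCESSES).items():
        print(f"{process:18s} {loss:12.2f}")
```

With the sample inputs the web server accumulates 9.5 hours (the worm contributes 8.0 × 0.5 × 2.0 and the denial of service 2.0 × 0.5 × 1.5), the mail gateway 3.0 hours and the database 12.0 hours; online banking is then unavailable for 21.5 hours because it inherits the database downtime through the web server dependency, and the combined loss 12SUM is the sum of the three process losses.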

It will be appreciated that many modifications may be made to the embodiments hereinbefore described.

The invention claimed is:
1. Apparatus for assessing threat to at least one computer network, the threat including at least one electronic threat, the computer network comprising a plurality of IT systems and a plurality of business processes operating on the plurality of IT systems, wherein (a) at least one IT system has two or more of the plurality of business processes operating thereon or (b) at least one business process operates on two or more of the plurality of IT systems, the apparatus comprising at least one processor and a memory coupled to the processor, the memory storing instructions executable by the processor that cause the processor to: predict future threat activity based on past observed threat activity including, for the at least one electronic threat, to receive observed threat data from a database, to extrapolate future event frequency and to produce a profile of predicted threat activity, wherein the observed threat data includes observed threats and, for each observed threat, one or more targets for the observed threat and a severity score for each target, determine expected downtime of each system of the plurality of IT systems in dependence upon said predicted threat activity including the severity scores and extrapolated future event frequency, determine loss for each of the plurality of business processes dependent on the downtimes of the IT systems, and add losses for the plurality of business processes so as to obtain a combined loss arising from the threat activity.
2. The apparatus according to claim 1, wherein the instructions comprise: a first module configured to determine the predicted threat activity including, for the at least one electronic threat, to receive observed threat data from a database, to extrapolate future event frequency and to produce a profile of predicted threat activity, wherein the observed threat data includes observed threats and, for each observed threat, one or more targets for the observed threat and a severity score for each target; a second module configured to determine the expected downtime of each IT system of the plurality of IT systems in dependence upon said predicted threat activity including the severity scores and extrapolated future event frequency; and a third module configured to determine the loss for each of a plurality of business processes.
3. The apparatus according to claim 2, wherein the third module is configured to add the losses for the plurality of business processes.
4. The apparatus according to claim 1, wherein the apparatus is further configured to store at least one of the losses and the combined loss in a storage device.
5. The apparatus according to claim 1, wherein the apparatus is configured to display at least one of the losses and the combined loss on a display device.
6. The apparatus according to claim 1, further configured to output the predicted threat activity to a firewall.
7. The apparatus according to claim 1, wherein loss is value at risk.
8. The apparatus according to claim 1, wherein the observed list of threats includes, for each threat, information identifying at least one system.
9. The apparatus according to claim 1, wherein the observed list of threats includes, for each threat, information identifying frequency of occurrence of the threat.
10. The apparatus according to claim 9, wherein the frequency of occurrence of the threat includes at least one period of time and corresponding frequency of occurrence for the at least one period of time.
11. The apparatus according to claim 1 wherein the plurality of IT systems include a plurality of software systems.
12. A method of assessing threat to at least one computer network, the threat including at least one electronic threat, the network comprising a plurality of IT systems wherein a plurality of business processes operate on the plurality of IT systems, and wherein (a) at least one IT system has two or more of the plurality of business processes operating thereon or (b) at least one business process operates on two or more of the plurality of IT systems, the method comprising, by using at least one computer processor: predicting threat activity based on past observed activity including, for the at least one electronic threat, to receive observed threat data from a database, to extrapolate future event frequency and to produce a profile of predicted threat activity, wherein the observed threat data includes observed threats and, for each observed threat, one or more targets for the observed threat and a severity score for each target; determining expected downtime of the plurality of IT systems in dependence upon said predicted threat activity including the severity scores and extrapolated future event frequency; determining loss for the plurality of business processes dependent on the downtimes of the IT systems; adding losses for the plurality of business processes to obtain a combined loss arising from the threat activity.
13. The method according to claim 12, further comprising: storing at least one of the losses and combined loss in a storage device.
14. The method according to claim 12, further comprising: displaying at least one of the losses and combined loss on a display device.
15. A non-transitory computer readable medium storing a computer program which when executed by a computer system, causes the computer system to perform a method of assessing threat to at least one computer network, the threat including at least one electronic threat, the computer network comprising a plurality of IT systems wherein a plurality of business processes operate on the plurality of IT systems, and wherein (a) at least one IT system has two or more of the plurality of business processes operating thereon or (b) at least one business process operates on two or more of the plurality of IT systems, the method comprising: predicting threat activity based on past observed activity including, for the at least one electronic threat, to receive observed threat data from a database, to extrapolate future event frequency and to produce a profile of predicted threat activity, wherein the observed threat data includes observed threats and, for each observed threat, one or more targets for the observed threat and a severity score for each target; determining expected downtime of each of the plurality of IT systems in dependence upon said predicted threat activity including the severity scores and extrapolated future event frequency; determining loss for the plurality of business processes dependent on the downtimes of the IT systems; adding losses for the plurality of business processes to obtain a combined loss arising from the threat activity.